Spoon: a Library for Implementing Analyses and Transformations Of

Spoon: A Library for Implementing Analyses and Transformations of Java Source Code Renaud Pawlak, Martin Monperrus, Nicolas Petitprez, Carlos Noguera, Lionel Seinturier

To cite this version:

Renaud Pawlak, Martin Monperrus, Nicolas Petitprez, Carlos Noguera, Lionel Seinturier. Spoon: A Library for Implementing Analyses and Transformations of Java Source Code. Software: Practice and Experience, Wiley, 2015, 46, pp.1155-1179. 10.1002/spe.2346. hal-01078532v2

HAL Id: hal-01078532 https://hal.inria.fr/hal-01078532v2 Submitted on 12 Sep 2015

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés.

Distributed under a Creative Commons Attribution - ShareAlike| 4.0 International License Spoon: A Library for Implementing Analyses and Transformations of Java Source Code

Renaud Pawlak Martin Monperrus Nicolas Petitprez Carlos Noguera Lionel Seinturier

Abstract This article presents Spoon, a library for the analysis and transformation of Java source code. Spoon enables Java developers to write a large range of domain-speciﬁc analyses and transformations in an easy and concise manner. Spoon analyses and transformations are written in plain Java. With Spoon, developers do not need to dive into parsing, to hack a compiler infrastructure, or to master a new formalism.

1 Introduction

Compilers and interpreters analyze source code. But source code analysis is used in many more places [6]: it is used to compute metrics [17], to detect bad smells [18], to detect code clones [20]. Companies and open-source projects set up their own metrics and coding conventions [16]. This motivates a library for source code analysis that is usable by the masses of developers and not dedicated to compiler hackers. Beyond source code analysis, there is source code transformation. Source code transformation is a program transformation at the source code level, as opposed to program transformation done on binary code [8]. There are many usages of program transformation: profiling [41], security [11], optimization [28], refactoring [24]. As source code analysis, some source code transformations are written by normal Java developers. For instance, this happens when the transformation uses domain-specific knowledge [5]. This article presents Spoon, a library for the analysis and transformation of Java source code. Spoon enables Java developers to write a large range of domain-specific analyses and transformations in an easy and concise manner. Spoon analyses and transformations are written in plain Java. With Spoon, developers do not need diving to parse, to hack a compiler infrastructure, or to master a new formalism. The main features of Spoon are: 1. a Java metamodel for representing Java abstract syntax trees (AST) which is both easy to understand and easy to manipulate; 2. a first-class intercession programming interface (intercession API) to modify and generate Java source code; 3. the use of generic typing for static checking of the analyses and transformations;

1 4. the native and seamless integration and processing of Java annotations; 5. a pure Java statically-checked templating engine.

Taking these features all together, Spoon is unique for the following reasons. Feature #1 and #2 are not the focus of compiler infrastructures. We are not aware of leveraging generics for AST manipulation (Feature #3). Java annotations have been extensively discussed [14] but generic annotation processors are scarce (Feature #4). While many templating engines exists (e.g. Apache Velocity1), none provide static checking as our plain Java templates provide. The related work section5 deepens those points. This paper supersedes INRIA technical report #5901 [36], which has been completely rewritten. It contains a better explanation of the concepts using appropriate illustrative examples, the evaluation contains a section of the correctness of Spoon as well as three new case studies, and the related work is thoroughly analyzed (including the most recent papers). This article reads as follows. Section2 discusses the foundations of source code analysis in Spoon (the metamodel and the queries). Section3 presents our mechanisms for transforming source code. Section4 exposes case studies of fruitful usages of Spoon. Section5 discusses the related work. Section6 concludes and discusses future work.

2 Source Code Analysis with Spoon

The first goal of Spoon is to enable standard developers to write their own domain-specific analyses on source code. This requires: first, an intuitive metamodel understandable by the mass of Java developers (presented in Section 2.2), second, mechanisms to analyze source code elements. The latter is embodied by queries (Section 2.3) and processors for traversing the program under analysis (Section 2.4). But let us first give an overview of the library before going into the details of the Java metamodel of Spoon. Spoon is a meta-analysis tool, it provides software engineers with the primi- tives to write their own analyses. As such, Spoon does not any specific analysis such as dataflow analysis.

2.1 Overview of Spoon Figure1 gives the overview of our approach. A Java program is given as input. It is parsed with an off-the-shelf compiler in order to produce a first abstract syntax tree (AST). Then, Spoon simplifies the AST (deleting and cre- ating nodes), in order to provide users with an intuitive and easy-to-manipulate model of their program. This compile-time (CT) model is an instance of the Spoon metamodel. The analysis and transformation of programs are written as “program processors” and “templates”. A user-defined processor performs a specific action, such as a transformation on a kind of node, under a well-defined processing condition. The processing and templating engine takes them as input and applies them to the Java model as long as elements remain to be processed. Eventually, the Spoon model is translated back to source with a pretty-printer.

1http://velocity.apache.org

2 Java Program (source code) Processors for Analysis & Transformation

Parsing

Low-Level Abstract Syntactic Tree

AST Simplification

Processing & instance Spoon Java Model Spoon Meta-Model Templating Engine

Java Syntax Printing

Transformed Java Program

Figure 1: Overview of Spoon: Java Programs are transformed and analyzed as models of the Spoon Java metamodel..

This pretty printer preserves API comments and removed in-body comments (because they are not part of the metamodel).

2.2 The Spoon Metamodel of Java A programming language can have different metamodels. An abstract syntax tree (AST) or model, is an instance of a metamodel. Each metamodel – and consequently each AST – is more or less appropriate depending on the task at hand. In this paper, we focus on Java and consequently on Java metamodels. For instance, the Java metamodel of Sun’s compiler (javac) has been designed and optimized for compilation to bytecode, while, the main purpose of the Java metamodel of the Eclipse IDE (JDT) is to support different tasks of software development in an integrated manner (code completion, quick fix of compilation errors, debug, etc.). Unlike a compiler-based AST (e.g. from javac), the Spoon metamodel of Java is designed to be easily understandable by normal Java developers, so that they can write their own program analyses and transformations. The Spoon metamodel is complete in the sense that it contains all the required information to derive compilable and executable Java programs (hence contains annotations, generics, and method bodies). The Spoon metamodel can be split in three parts. The structural part (Figure2) contains the declarations of the program elements, such as interface, class, variable, method, annotation, and enum declarations. The code part (Figure3) contains the executable Java code, such as the one found in method bodies. The reference part models the references to program elements (for instance a reference to a type). As shown in Figure2, all elements inherit from CtElement which declares a parent element denoting the containment relation in the source file. For instance, the parent of a method node is a class node. All names are prefixed by “CT”

3 Figure 2: Excerpt of the structural part of the Spoon Java 5 metamodel. which means “compile-time”. Figure3 shows the metamodel for Java executable code. Because of the complexity of the Java language, the code metamodel figure contains only an excerpt of all classes. There are two main kinds of code elements. First, the statements (CtStatement) are untyped top-level instructions that can be used directly in a block of code. Second, the expressions (CtExpression) are used inside the statements (for sake of readability, this can not be seen on the figure). For instance, a CtLoop (which is a statement) points to a CtExpression which expresses its boolean condition. Some code elements such as invocations and assignments are both statements and expressions (multiple inheritance links). Concretely, this is translated as an interface CtInvocation inheriting from both interfaces CtStatement and CtExpression. The generic type of CtExpression is used to add static type-checking when transforming programs. This will be explained in details in Section 3.2. The reference part of the metamodel expresses the fact that program references elements that are not necessarily reified into the metamodel (they may belong to third party libraries). For instance, an expression node returning a String is bound to a type reference to String and not to the compile-time model of String.java since the source code of String is (usually) not part of the application code under analysis. In other terms, references are used by metamodel elements to reference elements in a weak way. Weak references make it more flexible to construct and modify a program model without having to get strong references on all referred elements. References are resolved when the model is built, the resolved references are those that point to classes for which the source code is available in the Spoon input path. Since the references are weak, the targets of references do not have to exist before one references them. The price to pay for this low coupling is that to navigate from one code element to another, one has to chain a navigation to the reference and then to the target. For instance, to navigate from a field to the type of the field, one writes field.getType().getDeclaration().

4 Figure 3: Excerpt of the code part of the Spoon Java 5 metamodel.

Figure 4: A GUI to understand and learn the Spoon metamodel

2.3 Quering Source Code Elements Spoon aims at giving developers a way to query code elements in one single line of code in the normal cases. Classical research about code querying uses specific ad hoc languages [2]. On the contrary, code query is Spoon is done in plain Java, in the spirit of an embedded DSL. The information that can be queried is that of a well-formed typed AST. For this, we provide the query API, based on the notion of “Filter”. A Filter defines a predicate of the form of a matches method that returns true if an element is part of the filter. A Filter is given as parameter to a depth-first search algorithm. During AST traversal, the elements satisfying the matching predicate are given to the developer for subsequent treatment. Table1 gives an excerpt of built-in filters. Listing1 gives an example of client code. Three filters are used. The first returns all AST nodes of type “Assignment”. The second one selects all deprecated classes. The last one is a user-defined filter that only matches public fields across all classes. To guide the user in learning the metamodel, two pieces of information are

5 TypeFilter returns all metamodel elements of a certain type (e.g. all assignment statements) FieldAccessFilter returns all accesses to a given ﬁeld AnnotationFilter returns all elements annotated with a given annotation type ReturnOrThrowFilter returns all elements that ends the execution ﬂow of a method

Table 1: Excerpt of Built-in Filters for Querying Source Code Elements.

// collecting all assignments ofa method body 1 §list1 = methodBody.getElements( new TypeFilter(CtAssignment. class )); 2 3 // collecting all deprecated classes 4 list2 = rootPackage.getElements( new AnnotationFilter(Deprecated. class )); 5 6 // creatinga custom filter to select all public fields 7 list3 = rootPackage.getElements( 8 new AbstractFilter(CtField. class ){ 9 @Override 10 public boolean matches(CtField field) { 11 return field.getModifiers.contains(ModifierKind.PUBLIC); 12 } 13 } 14 ); 15 Listing 1: Examples of Concise yet Non Trivial Queries to Collect Code Ele- ments. ¥

available. First, the user is given a graphical user interface, that provides a navigable view of the Spoon AST of the program under analysis. A screenshot of this GUI is given in Figure4. Second, the metamodel is carefully designed so that the user can discover the metamodel through method calls. The object- orientation of the Spoon metamodel is appropriate for this. For instance, statement ((CtIf)method.getBody().getStatement(0)).getThenStatement() nav- igates from a method object to the then statement of the ﬁrst if.

2.4 Processing Code Elements A program analysis is a combination of query and analysis code. In Spoon, this conceptual pair is reified in a “processor”. A Spoon program processor is a class that focuses on the analysis of one kind of program elements. For instance, Listing2 presents a processor that analyzes a program to find empty catch blocks. The elements to be analyzed (here catch blocks), are given by generic typing: the programmer declares the AST node type under analysis as class generics. The processed element type is automatically inferred through runtime intro- spection of the processor class. There is also an optional overridable method for querying elements at a finer grain. The process method takes the requested element as input and does the analysis (here detecting empty catch blocks). Since a real world analysis combines multiple queries, multiple processors can be used at the same time. The launcher applies them in the order they have been declared. Processors are implemented with a visitor design pattern [33] applied to

6 public class CatchProcessor extends AbstractProcessor { 1 § @Override 2 public void process(CtCatch element) { 3 if (element.getBody().getStatements().size() == 0) { 4 System.err.println("empty␣catch␣clause␣at␣"+element.getPosition()); 5 } 6 }} 7 Listing 2: Analysis Code to Detect Empty Catch Blocks. No More Code is Required to Run the Analysis on Millions of Lines of Code. ¥

the Spoon Java model. Each node of the metamodel implements an accept method so that it can be visited by a visitor object, which can perform any kind of action, including modiﬁcation. Spoon provides developers with an intuitive Java metamodel and concise abstractions to query and process AST elements.

3 Source Code Transformation with Spoon

Spoon has been designed to facilitate source code transformation. For this, four mechanisms are provided: ﬁrst-class intercession mechanisms (Section 3.1), the use of generics (Section 3.2), the notion of statically checked templates (Section 3.3), and the use of annotations (Section 3.4).

3.1 First Class Intercession Mechanisms For transforming programs, Spoon provides first-class intercession mechanisms at different levels. At the structural level, Spoon enables one to add and remove types in packages, as well as fields and methods in types. At the behavioural level, Spoon enables one to modify any part of the code. For instance, one can add pre-conditions in methods, or add logging in catch blocks in an automated manner. Table2 provides an overview of the main intercession methods of Spoon. All intercession methods take as parameter one or several AST nodes. However, for adding code only, for sake of pragmatism, Spoon enables one to manipulate code strings encapsulated in a special object: a “code snippet”. In order for code snippets to seamlessly integrate with the existing AST-level intercession method, in the metamodel, a code snippet is a subclass of an AST node. Let us now discuss the concrete example of Listing3. It shows the code of a processor that adds logging in order to detect null method parameters. The processor processes CtParameter (the metamodel type representing method parameters). It creates a snippet representing an “if/then” statement that checks the value of the parameter. It then adds this piece of code at the beginning of the method body corresponding to this parameter. Note that when several parameters are declared, all are processed and the checks are inserted in the same body in the order they are declared in the method signature (one can also write a sophisticated transformation to change this order). This is the only code to write. The command-line based launcher takes as input the processor name (in this case NullLoggerProcessor) as well as a folder containing the code to be transformed and then applies the transformation.

7 Scope Name Description generic replace(element) replaces an element by another one. generic insertBefore(element) inserts the current element (“this”) before another element in a code block. generic insertAfter(element) inserts the current element (“this”) after another element in a code block. block insertBegin(element) adds an element at the begin of a code block. block insertEnd(element) appends an element at the end of a code block. throw setThrownExpression(expr) sets the expression returning a throwable object. assignment setAssignment(expression) sets the expression to be assigned in a variable. if setCondition(expression) sets the conditional expression of an if. if setThenStatement(stmt) sets the “then” statement of an if/then/else if setElseStatement(stmt) sets the “else” statement of an if/then/else.

Table 2: Excerpt of AST Intercession Methods of Spoon.

Spoon provides the developer with ﬁrst-class intuitive intercession methods.

3.2 Use of Generic Typing for Static Checking of Trans- formations When manipulating an AST with intercession methods, well-formedness rules must be enforced so as to produce compilable code. For instance, a throw statement contains an expression that necessarily returns an exception object (in Java, an instance of Throwable). There are three ways of detecting violations of those well-formedness rules: statically when writing the code manipulation code, dynamically when applying the transformation, or by verifying that the generated code actually compiles. We believe that static checking is the best solution, since it gives instant feedback to the developer.

3.2.1 Static Checks of Intercession Methods. In Spoon, we use Java generics to statically enforce the AST well-formedness rules. For instance, Listing4 shows how we statically enforce that the expression of a throw statement is a valid exception object: the parameter of method setThrownExpression is typed by CtExpression. More generally, as shown in Figure3, an expression ( CtExpression) has a type parameter T. This enables to statically enforce well-formedness rules at many places: the condition expression of an if statement or a loop must return a boolean;

8 /** Logs"null" passed as parameter*/ 1 §public class NullLoggerProcessor extends 2 AbstractProcessor> { 3 4 @Override 5 public void process(CtParameter element) { 6 // we declarea new snippet of code to be inserted 7 CtCodeSnippetStatement snippet = createCodeSnippetStatement(); 8 9 // this snippet contains an if check 10 snippet.setValue("if("+ element.getSimpleName() +"␣==␣null)␣" 11 +"Logger.log(\"null␣passed␣in␣"+ element.getSimpleName() +"\");"); 12 13 // we insert the snippet at the beginning of the method body 14 element.getParent(CtMethod. class ).getBody().insertBegin(snippet); 15 } 16 17 } 18 Listing 3: A Code Transformation That Logs null Passed as Parameter. A Code Snippet is Built Iteratively and Eventually Injected in the Method Body. ¥

public interface CtThrow extends CtCFlowBreak { 1 § // intercession method with static checking 2 // of wellformedness rules 3 void setThrownExpression(CtExpression thrownExpr); 4 } 5 Listing 4: Using Generic Typing to Statically Enforce Correct AST Construc- tion. ¥

in an assignment, the generic type of the expression to be assigned must be compatible with the type of type variable, etc. The same technique is applied by the class Class of Java for reﬂection. Spoon’s use of Java Generics enables one to statically check the AST intercession code.

3.2.2 Statically Veriﬁable Domain-Speciﬁc Transformations. As shown previously, many intercession methods use generic typing to enforce well-formedness rules. The very same generic typing can be used to statically verify the composition of AST nodes referring to domain classes. For instance, let us assume that one manipulates classes in the Book domain (with domain classes such as Book and Author). Generic typing enables one to declare a variable as referring to an author instance, and to enforce that the expression initializing that variable indeed returns an author instance. This is illustrated in Listing5, where the last line triggers a compilation error because one tries to set an expression that returns a book in a variable that expects an author.

3.3 Statically Type-Checked Code Templating for Java We have seen so far two ways of writing code transformations. First, one can use the intercession API to manipulate AST objects. Second, one can generate code snippets using text fragments. Both have the same limitation: there is no way to be sure, before the actual transformation, that the transformed code will be compilable.

9 // declaring one variable representinga local variable typed by Author 1 §CtLocalVariable varDecl = createLocalVariableDecl(); 2 // declaring one expression returning an Author object 3 CtExpression expression1 = createExpression(); 4 //declaring one expression returninga Book object 5 CtExpression expression2 = createExpression(); 6 7 // calling intercession method"setDefaultExpression" 8 varDecl.setDefaultExpression(expression1);// compile 9 varDecl.setDefaultExpression(expression2);//DOESNOTCOMPILE 10 Listing 5: Using Generic Typing to Statically Enforce Correct AST Construction with respect to Domain Classes ¥

<> <>

Java Program (source code) Template code (source code)

Program Model Template Model

Template Engine

<> Transformed Java Program

Figure 5: Overview of Spoon’s Templating System.

Spoon provides developers with a third way of writing code transformations: code templates. Those templates are statically type-checked, in order to ensure statically that the generated code will be correct. Our key idea behind Spoon templates is that they are regular Java code. Hence, the type-checking is that of the Java compiler itself. A Spoon template is a Java class that is type-checked by the Java compiler, then taken as input by the Spoon templating engine to perform a transformation. This is summarized in Figure5.A Spoon template can be seen as a higher-order program, which takes program elements as arguments, and returns a transformed program. Like any function, a template can be used in diﬀerent contexts and give diﬀerent results, depending on its parameters.

3.3.1 Template Definition Listing6 defines a Spoon template. This template specifies a statement (in method statement) that is a precondition to check that a list is smaller than a certain size. This piece of code will be injected at the beginning of all methods dealing with size-bounded lists. This template has one single template parameter called _col_, typed by TemplateParameter. In this case, the template parameter is meant to be an expression (CtExpression) that returns a Collection (see constructor, line 3). All metamodel classes, incl. CtExpression, implement

10 public class CheckBoundTemplate extends StatementTemplate { 1 § TemplateParameter> _col_; 2 @Override 3 public void statement() { 4 if (_col_.S().size() > 10) 5 throw new OutOfBoundException(); 6 } 7 } 8 Listing 6: An example of template in Spoon. If the template compiles, the transformed code compiles. ¥

// creatinga template instance 1 §Template t = new CheckBoundTemplate(); 2 t._col_ = createVariableAccess(method.getParameters().get(0)); 3 4 // getting the finalAST 5 CtStatement injectedCode = t.apply(); 6 7 // adds the bound check at the beginning ofa method 8 method.getBody().insertBegin(injectedCode); 9 Listing 7: Using a template to inject code at the beginning of a method. ¥

interface TemplateParameter. A template parameter has a special method (named S, for Substitution) that is used as a marker to indicate the places where a template parameter substitution should occur. For a CtExpression, method S() returns the return type of the expression. A method S()is never executed, its only goal is to get the template statically checked. Instead of being executed, the template source code is taken as input by the templating engine (see Figure5) which is described above. Consequently, the template source is well-typed, compiles, but the binary code of the template is thrown away. There are three kinds of templates: block templates, statement templates and expression templates. Their names denote the code grain they respectively address.

3.3.2 Template Instantiation In order to be correctly substituted, the template parameters need to be bound to actual values. This is done during template instantiation. Listing7 shows how to use the check-bound of template of Listing6. One first instantiates a template, then one sets the template parameters, and finally, one calls the template engine. In Listing7, last line, the bound check is injected at the beginning of a method body. Since the template is given the first method parameter which is in the scope of the insertion location, the generated code is guaranteed to compile. The Java compiler ensures that the template compiles with a given scope, the developer is responsible for checking that the scope where she uses template-generated code is consistent with the template scope.

11 public class TryCatchOutOfBoundTemplate 1 § extends BlockTemplate { 2 TemplateParameter _body_;// the body to surround 3 4 @Override 5 public void block () { 6 try { 7 _body_.S(); 8 } catch (OutOfBoundException e) { 9 e.printStackTrace(); 10 } 11 }} 12 Listing 8: A template to inject try/catch blocks ¥

// with TemplateParameter // with literal template parameter TemplateParameter val; @Parameter ... int val ; val = Factory.createLiteral(5); ...... val = 5; if (list.size()>val.S()) {...} ... if (list.size()>val) {...}

Figure 6: Two equivalent excerpts of templates. The left-hand side one use Tem- plateParameter, the right-hand side one is more concise thanks to @Parameter.

3.3.3 Template Substitution The substitution engine uses the metamodel and querying API presented in Sec- tion 2.3 to look up all invocations of method S(). It then substitutes them by the template parameter instances. Here, if _col_ represents the method parameter x, the substitution modiﬁes the model to return the expression “x.size()>10” expression. If _col_ stands for an expression that returns a collection (say getCollection()), the substitution result is “getCollection ().size()>10”.

3.3.4 What can be Templated? All metamodel elements can be templated. For instance, one can template a try/catch block as shown in Listing8. This template type-checks, and can be used as input by the substitution engine to wrap a method body into a try/catch block. The substitution engine contains various methods that implement diﬀer- ent substitution scenarios. For instance, method insertAllMethods inserts all the methods of a template in an existing class. It can be used for instance, to inject getters and setters.

3.3.5 Literal Template Parameters We have already seen one kind of template parameter (TemplateParameter). Sometimes, templates are parameterized literal values. This can be done with a template parameter set to a CtLiteral, for instance, For convenience, Spoon provides developers with another kind of template parameters called literal template parameters. When the parameter is known to

12 Intercession API Well-suited for ﬁne-grain, surgical transformations. Cumbersome for inserting new code. Code snippets Well-suited for code injection. Fragile when complex conditionals are used. Templates Well-suited for large-scale transformations. Hard to learn and master.

Table 3: The Three Complementary Mechanisms for Code Transformation in Spoon be a literal (primitive types, String, Class or a one-dimensional array of these types), a template parameter enables one to simplify the template code. To indicate to the substitution engine that a given field is a template parameter, it has to be annotated with a @Parameter annotation. Figure6 illustrates this feature with two equivalent templates. By using a literal template parameter, it is not necessary to call the S() method for substitution: the templating engine looks up all usages of the field annotated with @Parameter. The listing above shows those differences.

3.3.6 Summary To sum up, Spoon templates are regular Java code. Since they type-check successfully, they ensure that the transformed code actually compiles. It is complementary to the intercession API and the code snippets. Depending on the transformation and the amount of time given to write it, they all have pros and cons, as summed up in Table3. The intercession API is well-suited for ﬁne-grain, surgical transformations but cumbersome for inserting lots of new code. Code snippets are very handy for code injection, however, in complex transformations with many conditionals, they may result in incorrect code. The templates provides strong static checks with respect to the transformed code. However, the price to pay is that they have a longer learning curve required to master them. Again, they are complementary, one can use them in conjunction in the same transformation.

3.4 Annotation-Driven Program Processors We now discuss how Spoon deals with the processing of annotations. Java annotations enable developers to embed metadata in their programs. Although by themselves annotations have no explicit semantics, they can be used by frameworks as markers for altering the behavior of the programs that they annotate. This interpretation of annotations can result, for example, on the configuration of services provided by a middleware platform or on the alteration of the program source code. Annotation processing is the process by which a pre-processor modifies an annotated program as directed by its annotations during a pre-compilation phase. The Java compiler offers the possibility of compile-time processing of annotations via the API provided under the javax.annotation.processing package. Classes implementing the javax.annotation.processing.Process interface are used by the Java compiler to process annotations present in a client program. The client code is modeled by the classes of the javax.lang.model

13 @Target({ElementType.PARAMETER}) 1 §@Retention(RetentionPolicy.SOURCE) 2 public @interface NotNull{} 3 4 class Person { 5 public void marry(@NotNull Person so){ 6 if (!so.isMarried()) 7 //Marrying logic... 8 } 9 } 10 Listing 9: Deﬁnition and Use of a Java Annotation at the Method Parameter Level. ¥

package (although Java 8 has introduced finer-grained annotations, but not on any arbitrary code elements). It is partially modeled: only types, methods, fields and parameter declarations can carry annotations. Furthermore, the model does not allow the developer to modify the client code, it only allows adding new classes. The Spoon annotation processor overcomes those two limitations: it can handle annotations on any arbitrary code elements (including within method bodies), and it supports the modification of the existing code.

3.4.1 Annotation Processing with Spoon. Spoon provides developers with a way to specify the analyses and transformations associated with annotations. Annotations are metadata on code that start with @ in Java. For example, let us consider the example of a design-by-contract annotation. The annotation @NotNull, when placed on arguments of a method, will ensure that the argument is not null when the method is executed. Listing 9 shows both the definition of the @NotNull annotation type, and an example of its use. The @NotNull annotation type definition carries two meta-annotations (annotations on annotation definitions) stating which source code elements can be annotated (line 1), and that the annotation is intended for compile-time processing (line 2). The @NotNull annotation is used on the argument of the marry method of the class Person. Without annotation processing, if the method marry is invoked with a NULL reference, a NullPointerException would be thrown by the Java virtual machine when invoking the method isMarried in line 7. The implementation of such an annotation would not be straightforward using Java’s processing API since it would not allow us to just insert the NULL check in the body of the annotated method.

3.4.2 The Annotation Processor Interface. In Spoon, the full code model (c.f. Section 2.2) can be used for compile- time annotation processing [35]. To this end, Spoon provides a special kind of processor called AnnotationProcessor whose interface is:

public interface AnnotationProcessor 1 § 2 extends Processor { 3 void process(A annotation, E element); 4

14 class NotNullProcessor extends 1 § AbstractAnnotationProcessor { 2 3 public NotNullProcessor(){ 4 addConsumedAnnotationType(NotNull. class ); 5 addProcessedAnnotationType(NotNull. class ); 6 } 7 8 @Override 9 public void process(NotNull anno, CtParameter param){ 10 CtMethod method = param.getParent(CtMethod. class ); 11 CtBlock body = method.getBlock(); 12 CtAssert assertion = constructAssertion(param.getSimpleName()); 13 body.insertBegin(assertion); 14 } 15 Listing 10: The Processor That Injects Assertions to Check the Validity of @NotNull Annotations. ¥

boolean inferConsumedAnnotationType(); 5 Set> getProcessedAnnotationTypes(); 6 Set> getConsumedAnnotationTypes(); 7 } 8

Annotation processors extend normal processors by stating the annotation ¥ type those elements must carry (type parameter A), in addition of stating the kind of source code element they process (type parameter E). The process method (line 4) receives as arguments both the CtElement and the annotation it carries. The remaining three methods (getProcessedAnnotationTypes, getConsumedAnnotationTypes and inferConsumedAnnotationTypes) conﬁg- ure the visiting of the AST during annotation processing. The Spoon annotation processing runtime is able to infer the type of annotation a processor handles from its type parameter A. This restricts each processor to handle a single annotation2. To avoid this restriction, a developer can override the inferConsumedAnnotationType() method to return false. When doing this, Spoon queries the getProcessedAnnotationTypes() method to ﬁnd out which annotations are handled by the processor. Finally, the getConsumedAnnotationTypes() returns the set of processed annotations that are to be consumed by the annotation processor. Consumed annotations are not available in later processing rounds. Similar to standard processors, Spoon provides a default abstract implementation for annotation processors: AbstractAnnotationProcessor. It provides facilities for maintaining the list of consumed and processed annotation types, allowing the developer to concen- trate on the implementation of the annotation processing logic.

Going back to our @NotNull example, we implement a Spoon annotation processor that processes and consumes @NotNull annotated method parameters, and modiﬁes the source code of the method by inserting an assert statement that checks that the argument is not null. The NotNullProcessor (Listing 10) leverages the default implementation provided by the AbstractAnnotationProcessor and binds the type variables representing the annotation to be processed and the annotated code elements to NotNull and CtParameter respectively. Then, in the class constructor, it

2Java does not allow annotations to extend other annotations.

15 conﬁgures the annotation types it is interested in by adding them to the lists provided by its super class (lines 5 and 6). The actual processing of the annotation is implemented in the process(NotNull,CtParameter) method (lines 10-13). Annotated code is transformed by navigating the AST up from the annotated parameter to the owner method, and then down to the method’s body code block (lines 10 and 12). The construction of the assert statement is del- egated to a helper method constructAssertion(String), taking as argument the name of the parameter to check. This helper method constructs an instance of CtAssert (by either programmatically constructing the desired boolean expression, or employing the templating facilities explained in Section 3.3). Having obtained the desired assert statement, it is injected at the beginning of the body of the method.

More complex annotation processing scenarios can be tackled with Spoon. For example, when using the @NotNull annotation, the developer is still responsible for manually inspecting which method parameters to place the annotation on. A common processing pattern is then to use regular Spoon processors to auto-annotate the application’s source code. Such a processor, in our running example, can traverse the body of a method, looking for expressions that send messages to a parameter. Each of these expressions has as hypothesis that the parameter’s value is not null, and thus should result in the parameter being annotated with @NotNull. With this processing pattern, the programmer can use an annotation processor in two ways: either by explicitly and manually annotating the base program, or by using a processor that analyzes and annotates the program for triggering annotation processors in an automatic and implicit way. This design decouples the program analysis from the program transformation logics, and leaves room for manual conﬁguration. A second complex use of annotation processing in Spoon is presented in the evaluation section (see Section 4.3.3).

4 Evaluation

We now present an evaluation of Spoon. The evaluation is composed of three parts: correctness (4.1), performance (4.2), and case studies (4.3).

4.1 Correctness The core of an AST-based source code analysis tool as Spoon is made of two components: a model of the program and a pretty-printer. For real-world and rich programming languages, it is hard to achieve a model that provably covers all parts of the language. Similarly, it is very diﬃcult to prove that all pretty- printed versions of all valid models would be valid programs that 1) correspond to the original one, and 2) can be compiled and executed. To validate the correctness of those two components, we set up the following experiments: ﬁrst, we collect a dataset of open-source programs; second, for each subject programs, we build the model from the original source code and we then pretty-print back as source code; third, we compile the pretty-printed

16 source code; fourth, we run the test suite of the pretty-printed program to check whether the program has still the same observable semantics. This process hence has two stacked correctness oracles: the compiler, and the test suite. If all programs can be represented as a model whose pretty-printed version can be compiled and executed, this gives strong confidence in both the correctness of the model and of the pretty-printer. The test suite ensures that the model indeed corresponds to the original program. We searched in software forges software packages that meet the following inclusion criteria: the program is open-source; the program is written in Java; the program contains a good test suite. Also, the better the program test suite is, the better the correctness oracle is. Hence, we take a special care of selecting programs that are well-tested. Note that the test suite is not pretty-printed in order to keep the exact same specification and avoid biases. This process results in 13 software applications: Bukkit; Commons-codec; Commons-collections; Commons-imaging; Commons-lang; DiskLruCache; Java- writer; Joda time; Jsoup; JUnit; Mimecraft; Scribe Java; Spark. An archive containing the source code of those subjects is available as supplementary ma- terial. Table4 gives the key descriptive statistics for this dataset: the commit id (the digest of the commit in the Git version control system, necessary for future replication), the size in number of statements (a semantic Line-of-Code measure, that we also call LOC in this paper), and the number of tests (as defined by the JUnit test framework: the number of test methods). The smallest programs have less than 1000 LOC and the biggest program has 31k LOC. The total is 166 079 statements. The number of test cases ranges from 14 to 15 067.